SOCIAL SECURITY

November 10, 2004

To: The Honorable Jo Anne B. Barnhart
Commissioner

This letter transmits the PricewaterhouseCoopers LLP (PwC) Report of Independent Auditors on the audit of the Social Security Administration’s (SSA) Fiscal Year (FY) 2004 and 2003 financial statements. PwC's Report includes the firm’s Opinion on the Financial Statements, Report on Management's Assertion About the Effectiveness of Internal Control, and Report on Compliance with Laws and Regulations.

Objective of a Financial Statement Audit
The objective of a financial statement audit is to determine whether the financial statements are free of material misstatement. An audit includes examining, on a test basis, evidence supporting the amounts and disclosures in the financial statements. An audit also includes assessing the accounting principles used and significant estimates made by management as well as evaluating the overall financial statement presentation. PwC’s examination was made in accordance with generally accepted auditing standards, Government Auditing Standards issued by the Comptroller General of the United States, and Office of Management and Budget (OMB) Bulletin 01-02, Audit Requirements for Federal Financial Statements. The audit included obtaining an understanding of the internal control over financial reporting and testing and evaluating the design and operating effectiveness of the internal control. Because of inherent limitations in any internal control, there is a risk that errors or fraud may occur and not be detected. The risk of fraud is inherent to many of SSA’s programs and operations, especially within the Supplemental Security Income (SSI) program. In our opinion, people outside the organization perpetrate most of the fraud against SSA.

Audit of Financial Statements, Effectiveness of Internal Control, and Compliance with Laws and Regulations
The Chief Financial Officers (CFO) Act of 1990 (P.L. 101-576), as amended, requires SSA's Inspector General (IG) or an independent external auditor, as determined by the IG, to audit SSA's financial statements in accordance with applicable standards. Under a contract monitored by the Office of the Inspector General (OIG), PwC, an independent certified public accounting firm, audited SSA's FY 2004 financial statements. PwC also audited the FY 2003 financial statements, presented in SSA's Performance and Accountability Report for FY 2004 for comparative purposes. PwC issued an unqualified opinion on SSA's FY 2004 and 2003 financial statements. PwC also reported that SSA's assertion that its systems of accounting and internal control are in compliance with the internal control objective in OMB Bulletin 01-02 is fairly stated in all material respects. However, the audit identified one reportable condition in SSA's internal control:

SOCIAL SECURITY ADMINISTRATION

BALTIMORE MD 21235-00001


SSA Needs to Further Strengthen Controls to Protect Its Information
This same condition was found in prior year audits. It is PwC’s opinion that SSA has made notable progress in addressing the information protection issues raised in prior years. Despite these accomplishments, SSA’s systems environment remains threatened by security and integrity exposures to SSA operations.

OIG Evaluation of PwC Audit Performance
To fulfill our responsibilities under the CFO Act and related legislation for ensuring the quality of the audit work performed, we monitored PwC's audit of SSA's FY 2004 financial statements by:

• Reviewing PwC's approach and planning of the audit;
• Evaluating the qualifications and independence of its auditors;
• Monitoring the progress of the audit at key points;
• Examining its workpapers related to planning the audit and assessing SSA's internal control;
• Reviewing PwC's audit report to ensure compliance with Government Auditing Standards and OMB Bulletin 01-02;
• Coordinating the issuance of the audit report; and
• Performing other procedures that we deemed necessary.

PwC is responsible for the attached auditor’s report, dated November 8, 2004, and the opinions and conclusions expressed therein. The OIG is responsible for technical and administrative oversight regarding PwC’s performance under the terms of the contract. Our review, as differentiated from an audit in accordance with applicable auditing standards, was not intended to enable us to express, and accordingly we do not express, an opinion on SSA’s financial statements, management’s assertions about the effectiveness of its internal control over financial reporting, or SSA’s compliance with certain laws and regulations. However, our monitoring review, as qualified above, disclosed no instances where PwC did not comply with applicable auditing standards.

Patrick P. O’Carroll, Jr.
Acting Inspector General

PricewaterhouseCoopers LLP
Suite 800W
1301 K St., N.W.
Washington DC 20005-3333
Telephone (202) 414 1000
Facsimile (202) 414 1301
www.pwc.com

REPORT OF INDEPENDENT AUDITORS

To the Honorable Jo Anne B. Barnhart
Commissioner
Social Security Administration

In our audit of the Social Security Administration (SSA), we found:

• The consolidated balance sheets of SSA as of September 30, 2004 and 2003, and the related consolidated statements of net cost, of changes in net position, and of financing and the combined statements of budgetary resources for the years then ended are presented fairly, in all material respects, in conformity with accounting principles generally accepted in the United States of America;
• Management fairly stated that SSA’s systems of accounting and internal control in place as of September 30, 2004, are in compliance with the internal control objectives in the Office of Management and Budget (OMB) Bulletin No. 01-02, Audit Requirements for Federal Financial Statements, requiring that (1) transactions be properly recorded, processed and summarized to permit the preparation of the consolidated and combined financial statements in accordance with accounting principles generally accepted in the United States of America, and to safeguard assets against loss from unauthorized acquisition, use or disposition; (2) transactions are executed in accordance with laws governing the use of budget authority, other laws and regulations that could have a direct and material effect on the consolidated or combined financial statements or Required Supplemental Stewardship Information (RSSI) and any other laws, regulations and government wide policies identified in Appendix C of OMB Bulletin No. 01-02;
• No reportable instances of noncompliance with the laws, regulations or other matters tested.

The following sections outline each of these conclusions in more detail.

OPINION ON THE FINANCIAL STATEMENTS

We have audited the accompanying consolidated balance sheets of SSA as of September 30, 2004 and 2003, and the related consolidated statements of net cost, of changes in net position, and of financing and the combined statements of budgetary resources for the years then ended. These financial statements are the responsibility of SSA’s management. Our responsibility is to express an opinion on these financial statements based on our audits. We conducted our audits in accordance with auditing standards generally accepted in the United States of America; the standards applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United States; and OMB Bulletin No. 01-02. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement. An audit includes examining, on a test basis, evidence supporting the amounts and disclosures in the financial statements. An audit also includes assessing the accounting principles used and significant estimates made by management, as well as evaluating the overall financial statement presentation. We believe that our audits provide a reasonable basis for our opinion. In our opinion, the consolidated and combined financial statements referred to above and appearing on pages 146 through 167 of this performance and accountability report, present fairly, in all material respects, the financial position of SSA at September 30, 2004 and 2003, and its net cost of operations, changes in net position, budgetary resources and financing for the years then ended in conformity with accounting principles generally accepted in the United States of America.

REPORT ON MANAGEMENT’S ASSERTION ABOUT THE EFFECTIVENESS OF INTERNAL CONTROL

We have examined management’s assertion that SSA’s systems of accounting and internal control are in compliance with the internal control objectives in OMB Bulletin No. 01-02, requiring that (1) transactions be properly recorded, processed and summarized to permit the preparation of the consolidated and combined financial statements in accordance with accounting principles generally accepted in the United States of America, and to safeguard assets against loss from unauthorized acquisition, use or disposition; and (2) transactions are executed in accordance with laws governing the use of budget authority, other laws and regulations that could have a direct and material effect on the consolidated or combined financial statements or RSSI and any other laws, regulations and government wide policies identified in Appendix C of OMB Bulletin No. 01-02 as of September 30, 2004. We did not test all internal controls relevant to the operating objectives broadly defined by the Federal Managers’ Financial Integrity Act of 1982. SSA’s management is responsible for maintaining effective internal controls. Our responsibility is to express an opinion on management’s assertion based on our examination. Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants (AICPA), the standards applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United States, and OMB Bulletin No. 01-02 and, accordingly, included obtaining an understanding of the internal control, testing and evaluating the design and operating effectiveness of internal control, and performing such other procedures as we considered necessary in the circumstances. We believe that our examination provides a reasonable basis for our opinion.

Because of inherent limitations in any internal control, misstatements due to error or fraud may occur and not be detected. Also, projections of any evaluation of internal control to future periods are subject to the risk that the internal control may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate. In our opinion, management’s assertion that SSA’s systems of accounting and internal control are in compliance with the internal control objectives in OMB Bulletin No. 01-02, requiring that (1) transactions be properly recorded, processed, and summarized to permit the preparation of the consolidated and combined financial statements in accordance with accounting principles generally accepted in the United States of America, and to safeguard assets against loss from unauthorized acquisition, use or disposition; and (2) transactions are executed in accordance with laws governing the use of budget authority, other laws and regulations that could have a direct and material effect on the consolidated or combined financial statements or RSSI and any other laws, regulations and government wide policies identified in Appendix C of OMB Bulletin No. 01-02, is fairly stated, in all material respects, as of September 30, 2004. However, we noted certain matters involving the internal control and its operation, set forth below, that we consider to be a reportable condition under standards established by the AICPA and by OMB Bulletin No. 01-02. Reportable conditions are matters coming to our attention that, in our judgment, should be communicated because they represent significant deficiencies in the design or operation of the internal control that could adversely affect SSA’s ability to meet the internal control objectives in OMB Bulletin No. 01-02 previously noted.

Material weaknesses are reportable conditions in which the design or operation of one or more of the internal control components does not reduce to a relatively low level the risk that errors, fraud or noncompliance in amounts that would be material in relation to the consolidated or combined financial statements or RSSI being audited, or material to a performance measure or aggregation of related performance measures, may occur and not be detected within a timely period by employees in the normal course of performing their assigned functions. We believe that the reportable condition that follows is not a material weakness as defined by the AICPA and OMB Bulletin No. 01-02.

SSA Needs to Further Strengthen Controls to Protect Its Information

During FY 2004, SSA management corrected many of the issues previously noted regarding physical security at the Disability Determination Service (DDS) sites and enhanced continuity of operations activities, including testing of

newly developed continuity procedures for Regional Office (RO), Program Service Center (PSC) and DDS sites. Additionally, significant progress was made on the Standardized Security Profile Project (SSPP). During the year:

• Access assignments of operations personnel to access application transactions for all major SSA systems identified and defined by SSA management as critical to operations were identified, reviewed, adjusted and confirmed;
• Datasets were identified for major systems defined by SSA management as critical to operations;
• New profiles and procedures were created to control access to the datasets within the critical applications identified and defined by SSA management;
• Many of the new profiles for granting update access to the datasets of the critical applications were established and vetted;
• New procedures were implemented to ensure new datasets were named in accordance with naming standards and that these datasets included descriptions to allow users to readily understand their contents; and
• Procedures and plans were honed to continue the process to ensure controlled access to system datasets, including continuance of the SSPP.

Although significant progress has been made regarding logical security controls, we note the need for continued progress regarding the certification of security access assignments to system datasets within critical applications. Testing disclosed that systems employees still have direct update access to many of the datasets within the critical applications without consistent auditing. Further, at the time of our audit too many employees had been granted update access for review of their activities to be considered an effective control. We also noted that security configurations had not been developed for all of the servers in use in SSA’s distributed processing environment. Additionally, some server security configurations required update and enhancement. Distributed server security configurations represent a key control in ensuring security of the SSA network. Specific disclosure of detailed information about these exposures might further compromise controls and is therefore not provided within this report. Rather, the specific details of weaknesses noted are presented in a separate, limited-distribution management letter. The need for a strong security program to address threats to the security and integrity of SSA operations grows and transforms as the Agency continues to progress with plans to increase dependence on the Internet and Web-based applications to serve the American public. Clear, continued and measurable progress has been made towards the establishment of a strong overall security program. However, to more fully protect SSA from risks associated with the loss of data, loss of other resources or compromised privacy of information associated with SSA’s enumeration, earnings, retirement and disability processes and programs, SSA must further strengthen its security program.
Specifically, further progress is needed in the area of access assignments to application systems data and programs by systems personnel, including the continual review of systems access, and in the assurance that security configuration standards for distributed servers are established, kept current, and enforced.

Recommendations

We recommend that SSA continue its efforts to enhance information protection by continuing to implement the remaining portions of the SSPP and through the establishment, refinement and enforcement of procedures to ensure standard security configurations for distributed servers. More specific recommendations focused upon the individual exposures we identified are included in a separate, limited-distribution management letter. We noted other matters involving the internal control and its operation that we will communicate in a separate letter.

INTERNAL CONTROL RELATED TO KEY PERFORMANCE INDICATORS AND RSSI

With respect to internal control relevant to data that support reported performance measures on pages 42 to 65 of this performance and accountability report, we obtained an understanding of the design of significant internal control relating to the existence and completeness assertions, as required by OMB Bulletin No. 01-02. Our procedures were not designed to provide assurance on the internal control over reported performance measures and, accordingly, we do not express an opinion on such control. In addition, we considered SSA’s internal control over RSSI by obtaining an understanding of SSA’s internal control, determined whether these internal controls had been placed in operation, assessed control risk, and performed tests of controls as required by OMB Bulletin No. 01-02, not to provide assurance on these controls. Accordingly, we do not provide an opinion on such controls.

REPORT ON COMPLIANCE AND OTHER MATTERS

The management of SSA is responsible for compliance with laws and regulations. As part of obtaining reasonable assurance about whether the financial statements are free of material misstatement, we performed tests of compliance with certain provisions of laws and regulations, noncompliance with which could have a direct and material effect on the determination of financial statement amounts, and certain other laws and regulations specified in OMB Bulletin No. 01-02, including the requirements referred to in the Federal Financial Management Improvement Act (FFMIA) of 1996. We limited our tests of compliance to these provisions, and we did not test compliance with all laws and regulations applicable to SSA. However, providing an opinion on compliance with those provisions was not an objective of our audit and, accordingly, we do not express such an opinion. The results of our tests of compliance disclosed no instances of noncompliance with laws and regulations discussed in the preceding paragraph, exclusive of FFMIA, or other matters that are required to be reported under Government Auditing Standards or OMB Bulletin No. 01-02.
Under FFMIA, we are required to report whether SSA’s financial management systems substantially comply with the Federal financial management systems requirements, applicable Federal accounting standards, and the United States Government Standard General Ledger at the transaction level. To meet this requirement, we performed tests of compliance with FFMIA section 803(a) requirements. The results of our tests disclosed no instances in which SSA’s financial management systems did not substantially comply with the three requirements discussed in the preceding paragraph.

OTHER INFORMATION

The Management’s Discussion and Analysis (MD&A) included on pages 1 to 2 and 7 to 80, Required Supplementary Information (RSI) included on pages 172 to 173, and Required Supplementary Stewardship Information (RSSI) included on pages 174 to 192 of this performance and accountability report are not a required part of the financial statements but are supplementary information required by the Federal Accounting Standards Advisory Board and OMB Bulletin No. 01-09, Form and Content of Agency Financial Statements. We have applied certain limited procedures, which consisted principally of inquiries of management regarding the methods of measurement and presentation of the MD&A, RSI and RSSI. However, we did not audit the information and express no opinion on it. Our audit was conducted for the purpose of forming an opinion on the consolidated and combined financial statements of SSA taken as a whole. The Schedule of Budgetary Resources, included on page 172 of this performance and accountability report, is not a required part of the consolidated or combined financial statements but is supplementary information required by OMB Bulletin No. 01-09, Form and Content of Agency Financial Statements. This information and the consolidating and combining information included on pages 168 to 171 of this performance and accountability report are presented for purposes of additional analysis and are not a required part of the consolidated or combined financial statements. Such information has been subjected to the auditing procedures applied in the audit of the consolidated and combined financial statements and, in our opinion, is fairly stated in all material respects in relation to the consolidated and combined financial statements taken as a whole.

The other accompanying information included on pages 3 to 6, 81 to 145, 193 to 194 and 200 to the end of this performance and accountability report is presented for purposes of additional analysis and is not a required part of the financial statements. Such information has not been subjected to the auditing procedures applied in the audit of the consolidated and combined financial statements and, accordingly, we express no opinion on it.

*****

This report is intended solely for the information and use of management and the Inspector General of SSA, OMB, the Government Accountability Office and Congress and is not intended to be and should not be used by anyone other than these specified parties.

November 8, 2004